The distributions of individual bits in the output of multiplicative operations

Abstract

A difference-of-means test applied to acquisitions of the instantaneous power consumption has been shown to be a suitable means of distinguishing a multiplication from a squaring operation over the integers. This has been attributed to the difference in expected Hamming weight of the output of these operations but few details are present in the literature. In this paper we define how this difference occurs and show that, somewhat surprisingly, a difference can, for some moduli, still be observed after a modular reduction. Moreover, we show that this difference leads to a practical attack under reasonable assumptions where a modulus is blinded. The presented attack goes beyond the cryptographic primitive and applies to concrete provably secure implementations, including RSA-PSS for signature generation or RSA-OAEP for encryption that uses side-channel countermeasures.

Keywords

Side-channel analysis; exponentiation algorithms

This work was conducted while the author was employed by the Cryptography Group at the University of Bristol.

Acknowledgments

The authors would like to thank the anonymous referees for their detailed and perceptive comments. The work described in this paper has also been supported in part by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II and by the EPSRC via grant EP/I005226/1.

Appendix A: \(\Pr[Z_s = 1]\) for multiplication in \(\mathbb{Z}\)

Following the notation defined in Section 3.1, we define \(Y_s\) as the sum of the bits of the s-th column, and \(W_s\) as the number of lines present in the addition described above, i.e. the Hamming weight of the s least significant bits of the result of a multiplication.

Again, we define \(D_{s-2}\) as the carry produced from the (s−2)-th column and let \(\kappa = \sum_{i=0}^{\lfloor (s-2)/2 \rfloor} \Pr[D_{s-2} = 2\,i]\). We note that the result of the sum of a given column will be even, and the result will impact the next column, then

Appendix C: The discrete logarithm problem

We recall the discrete logarithm problem:

Definition 1

Let \(\alpha \in G\), for some Abelian group G, and suppose \(\alpha \in \langle \beta \rangle\). The discrete logarithm \(\log_{\alpha} \beta\) is the unique integer x such that \(0 \le x \le \mathrm{ord}(\alpha) - 1\) and \(\alpha^{x} = \beta\). The Discrete Logarithm Problem (DLP) is to compute \(\log_{\alpha} \beta\), given α and β.

In a side-channel analysis of a given instance of an exponentiation algorithm the results only give a best guess of the exponent. Stinson describes a variant of the Baby-Step/Giant-Step algorithm where it is assumed that the exponent has a small Hamming weight [27]. Stinson's algorithm requires the existence of a means of splitting a string of bits into two sets of equal Hamming weight.

Lemma 3

We consider an integer of bit length m, as a string of bits of length \(m \in 2\,\mathbb{Z}\) and Hamming weight 0<t<m. There will exist a set of contiguous bits with Hamming weight ⌊t/2⌋.

We present a somewhat simplified version of Stinson's proof:

Proof

We begin with the case where t is even. Let X be a string of bits of length m with Hamming weight \(t \in 2\,\mathbb{Z}\). Let each \(Y_i\), for \(i \in \{1, \ldots, m/2\}\), represent one of the m/2 sets of contiguous bits starting from the i-th bit of the string. Let H be a function that returns the Hamming weight, then \(H(Y_1) = t - H(Y_{m/2})\). Given that \(H(Y_i) - H(Y_{i+1})\) will be in {−1,0,1}, there will be some set of contiguous bits with Hamming weight t/2. If t is odd then the first bit can be ignored, as it will be set to one given that the bit length is known, putting us in the case described above. Hence, one can find one set of Hamming weight ⌊t/2⌋ and the other of ⌈t/2⌉.

This is sufficient for our requirements. We refer the reader to Stinson for versions of this proof where m is odd [27].

Given an estimate for the exponent x′ where \(x = x' \oplus e\), for some unknown e of Hamming weight t, we can attempt to determine x by guessing e. We let \(z_i\) denote the i-th bit of z for an n-bit number z. Given an n-bit number z we define the vector \(\mathring{z}\) as follows

If we set \(\beta' = \alpha^{x'}\), then given a proposed value of e, such that \(x = x' \oplus e\), we can test whether it is correct by checking whether \(\beta = \beta' \cdot \alpha^{\mathring{e}}\). The error e can be divided into two sets \(e_1\) and \(e_2\), where \(e_1\) and \(e_2\) have a Hamming weight of t/2, given by a splitting algorithm. We also define a and b as two integers such that \(x' = a + b\) and the only bits that can be set to one in a and b are at the indexes defined by the splitting algorithm for \(e_1\) and \(e_2\) respectively. Then \(\alpha^{x} = (\alpha^{a} \, \alpha^{\mathring{e}_{1}}) (\alpha^{b} \, \alpha^{\mathring{e}_{2}})\).

We produce a list of error vectors of Hamming weight t/2, where we define the i-th error from the set of possible errors \(e_1\) as \(e_{i,1}\). We define the Giant-Steps to be the table consisting of all pairs \(\left(\frac{\beta}{\alpha^{a} \, \alpha^{\mathring{e}_{i,1}}}, \; a + \mathring{e}_{i,1}\right)\), for all \(e_{i,1}\). We define the Baby-Steps as the pairs \(\left(\alpha^{b} \, \alpha^{\mathring{e}_{j,2}}, \; b + \mathring{e}_{j,2}\right)\), for all \(e_{j,2}\). As in the Baby-Step/Giant-Step method, we can terminate when a collision is found between \(\frac{\beta}{\alpha^{a} \, \alpha^{\mathring{e}_{i,1}}}\) and \(\alpha^{b} \, \alpha^{\mathring{e}_{j,2}}\) for some i, j. We can then derive the exponent as \(x = (a + \mathring{e}_{i,1}) + (b + \mathring{e}_{j,2})\).

For an m-bit exponent one would be required to compute \(\binom{m}{t/2}\) Giant-Steps and \(\binom{m}{t/2}\) Baby-Steps for an error of Hamming weight t. The above assumes that t is even. If t is odd then the extra bit can be assigned, arbitrarily, to the computation of the Baby-Steps. The required computation then becomes \(\binom{m}{\lfloor t/2 \rfloor}\) Giant-Steps and \(\binom{m}{\lfloor t/2 \rfloor + 1}\) Baby-Steps for an error of Hamming weight t.

Other than the inclusion of an initial guess, this algorithm is as defined by Stinson [27], and has time complexity \(\mathcal{O}\left(m \binom{m/2}{t/2}\right)\). However, this assumes that t is known.

Typically, t is not known and an adversary has to start with t=1 and increase the Hamming weight until t is found. One would expect the resulting time complexity to be \(\mathcal{O}\left(m \sum_{n=0}^{t} \binom{m/2}{n/2}\right)\). However, by Lemma 3 we can ignore the cases where n is odd, since the required Baby-Steps and Giant-Steps will already be computed for the cases n−1 and n+1. The resulting time complexity is therefore \(\mathcal{O}\left(m \sum_{n=0}^{\lceil t/2 \rceil} \binom{m/2}{n}\right)\) when t is unknown.
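As an added illustration (not code from the paper), the seeded Baby-Step/Giant-Step search described above, in Python. Everything here is constructed: the group is \(\mathbb{Z}_p^*\) for the Mersenne prime \(p = 2^{31}-1\) with generator 7, the estimate x′ and the error e are made up, and the splitting algorithm is taken to be the family of cyclic windows of m/2 contiguous bit positions, which is the kind of split Lemma 3 guarantees; the signed correction \(\mathring{e}\) is realised by flipping the guessed bits at the error positions.

```python
from itertools import combinations

# Constructed toy group: Z_p^* for the Mersenne prime p = 2^31 - 1, generator 7
# (a primitive root). ord(7) = 2^31 - 2 > 2^20, so a 20-bit exponent is unique.
P = 2**31 - 1
ALPHA = 7

def recover_exponent(alpha, beta, x_guess, m, t, p=P):
    """Stinson-style Baby-Step/Giant-Step seeded with a side-channel estimate.
    Finds x with alpha^x = beta (mod p), given x_guess where x = x_guess XOR e
    for an unknown error e of Hamming weight t. Each cyclic window of m/2
    contiguous bit positions is tried as the giant-step index set S1: by
    Lemma 3 some window carries floor(t/2) error bits, its complement S2 the
    remaining ceil(t/2)."""
    half = m // 2
    t1, t2 = t // 2, t - t // 2             # odd extra bit goes to the baby steps
    for start in range(m):
        s1 = [(start + k) % m for k in range(half)]
        s2 = [i for i in range(m) if i not in set(s1)]
        # a and b: the bits of x_guess restricted to S1 and S2 (x_guess = a + b)
        a = sum(x_guess & (1 << i) for i in s1)
        b = x_guess ^ a
        # Giant-Steps: table of (beta / alpha^{a + e_1}, a + e_1) over all errors
        # e_1 of weight t1 on S1. Flipping the guessed bits at the error positions
        # realises the signed correction a + ring(e_1) from the paper.
        giant = {}
        for flips in combinations(s1, t1):
            corr1 = a ^ sum(1 << i for i in flips)
            giant[beta * pow(alpha, -corr1, p) % p] = corr1
        # Baby-Steps: alpha^{b + e_2} over all errors e_2 of weight t2 on S2; a
        # collision with the table gives x = (a + e_1) + (b + e_2).
        for flips in combinations(s2, t2):
            corr2 = b ^ sum(1 << i for i in flips)
            hit = giant.get(pow(alpha, corr2, p))
            if hit is not None:
                return hit + corr2
    return None                             # no e of weight t: try the next t

def demo():
    """Constructed instance: 20-bit exponent, estimate wrong in 4 bit positions."""
    m, x_true = 20, 0xB3969                 # bit 19 set, so the bit length is known
    e = (1 << 2) | (1 << 7) | (1 << 12) | (1 << 17)
    x_guess = x_true ^ e
    beta = pow(ALPHA, x_true, P)
    return recover_exponent(ALPHA, beta, x_guess, m, t=4), x_true

if __name__ == "__main__":
    found, x_true = demo()
    print(f"recovered {found:#x}, true exponent {x_true:#x}")
```

Because ord(α) exceeds \(2^{m}\) in this toy group, any collision yields the true exponent; with a smaller group one would additionally check the candidate against β and the known bit length.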

To derive a private exponent used in RSA [25], the order is not known and the above analysis cannot be applied directly. If we define γ to be the maximum possible bit length of ord(α), then the problem can be rewritten as \(\alpha^{\gamma+1} \alpha^{x} = \alpha^{\gamma+1} \beta\), and the inverse of \(\alpha^{b}\) can be replaced by \(\alpha^{\gamma+1-b}\) [28].